about summary refs log tree commit diff
path: root/app/controllers
AgeCommit message (Collapse)Author
2018-10-12Improve signature verification safeguards (#8959)Eugen Rochko
* Downcase signed_headers string before building the signed string The HTTP Signatures draft does not mandate the “headers” field to be downcased, but mandates the header field names to be downcased in the signed string, which means that prior to this patch, Mastodon could fail to process signatures from some compliant clients. It also means that it would not actually check the Digest of non-compliant clients that wouldn't use a lowercased Digest field name. Thankfully, I don't know of any such client. * Revert "Remove dead code (#8919)" This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb. * Restore time window checking, change it to 12 hours By checking the Date header, we can prevent replaying old vulnerable signatures. The focus is to prevent replaying old vulnerable requests from software that has been fixed in the meantime, so a somewhat long window should be fine and accounts for timezone misconfiguration. * Escape users' URLs when formatting them Fixes possible HTML injection * Escape all string interpolations in Formatter class Slightly improve performance by reducing class allocations from repeated Formatter#encode calls * Fix code style issues
2018-10-12Improve signature verification safeguards (#8959)Eugen Rochko
* Downcase signed_headers string before building the signed string The HTTP Signatures draft does not mandate the “headers” field to be downcased, but mandates the header field names to be downcased in the signed string, which means that prior to this patch, Mastodon could fail to process signatures from some compliant clients. It also means that it would not actually check the Digest of non-compliant clients that wouldn't use a lowercased Digest field name. Thankfully, I don't know of any such client. * Revert "Remove dead code (#8919)" This reverts commit a00ce8c92c06f42109aad5cfe65d46862cf037bb. * Restore time window checking, change it to 12 hours By checking the Date header, we can prevent replaying old vulnerable signatures. The focus is to prevent replaying old vulnerable requests from software that has been fixed in the meantime, so a somewhat long window should be fine and accounts for timezone misconfiguration. * Escape users' URLs when formatting them Fixes possible HTML injection * Escape all string interpolations in Formatter class Slightly improve performance by reducing class allocations from repeated Formatter#encode calls * Fix code style issues
2018-10-11Set Content-Security-Policy rules through RoR's config (#8957)ThibG
* Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames
2018-10-08Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-08Remove dead code (#8919)Eugen Rochko
SignatureVerification#matches_time_window? is not called anywhere.
2018-10-08Replace SVG asset with Custom mascot (#8766)ashleyhull-versent
2018-10-07Add conversations API (#8832)Eugen Rochko
* Add conversations API * Add web UI for conversations * Add test for conversations API * Add tests for ConversationAccount * Improve web UI * Rename ConversationAccount to AccountConversation * Remove conversations on block and mute * Change last_status_id to be a denormalization of status_ids * Add optimistic locking
2018-10-07Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-07Ensure only toots from the reported users are reported (#8916)ThibG
2018-10-05Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: db/migrate/20170716191202_add_hide_notifications_to_mute.rb spec/controllers/application_controller_spec.rb Took our version, upstream changes were only minor style linting.
2018-10-04Change admin accounts default sort to most recent (#8813)Eugen Rochko
2018-10-01Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/lib/user_settings_decorator.rb app/models/user.rb app/serializers/initial_state_serializer.rb app/views/stream_entries/_simple_status.html.haml config/locales/simple_form.en.yml config/locales/simple_form.ja.yml config/locales/simple_form.pl.yml config/routes.rb
2018-09-28Support min_id-based pagination in REST API (#8736)Eugen Rochko
* Allow min_id pagination in Feed#get * Add min_id pagination to home and list timeline APIs * Add min_id pagination to account statuses, public and tag APIs * Remove unused stub in reports API * Use min_id pagination in notifications, favourites, and fix order * Fix HomeFeed#from_database not using paginate_by_id
2018-09-25Add a new preference to always hide all media (#8569)ふぁぼ原
2018-09-24Cache instance info (#8765)Yamagishi Kazutoshi
2018-09-24Add user preference to always expand toots marked with content warnings (#8762)Matt Sweetman
2018-09-19Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: Vagrantfile app/javascript/packs/public.js app/views/admin/settings/edit.html.haml app/views/settings/preferences/show.html.haml app/views/settings/profiles/show.html.haml config/locales/es.yml config/locales/simple_form.en.yml config/webpack/configuration.js config/webpack/loaders/babel.js package.json yarn.lock Split new additions to app/javascript/packs/public.js to app/javascript/core/settings.js
2018-09-14Misc. typos (#8694)luzpaz
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-11Do not clear local storage on log outThibaut Girka
2018-09-11Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/oauth/authorizations_controller.rb Just two changes being too close to one another. Took both.
2018-09-09Add force_login option to OAuth authorize page (#8655)Eugen Rochko
* Add force_login option to OAuth authorize page For when a user needs to sign into an app from multiple accounts on the same server * When logging out from modal header, redirect back after re-login
2018-09-07feat(auth/session_controller): Send Clear-Site-Data when logging out (#8627)Sorin Davidoi
Will clear the browser's cache, cookies and storage. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data https://w3c.github.io/webappsec-clear-site-data/
2018-09-03Allow to show a specific status in the admin interfaceThibaut Girka
2018-09-03Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: README.md Discarded upstream changes to the README, kept our version.
2018-09-02Whitelist report notification param in Settings::NotificationsController (#8560)Eugen Rochko
Bug in #8559
2018-09-02Add preference for report notification e-mails, skip for duplicates (#8559)Eugen Rochko
If an unresolved report for the same target account already exists, no new notification is generated
2018-08-31Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/views/stream_entries/_simple_status.html.haml - config/locales/nl.yml Deleted unused translation strings (themes) and adapted minor changes to _simple_status.html.haml
2018-08-31Self-notify on accepting follow requests (#8541)ThibG
2018-08-30Add animate custom emoji param to embed pages (#8507)Renato "Lond" Cerqueira
* Add animate custom emoji param to embed pages * Rename param, use it for avatars and gifs * Fix issues pointed by codeclimate and breaking test * Ignore brakeman warning
2018-08-27Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/api/v1/mutes_controller.rb config/locales/simple_form.pl.yml
2018-08-26Make Api::V1::MutesController paginate properly (#8472)Jakub Mendyk
Fixes #8463
2018-08-26Fix low-hanging rubocop gripes (#8458)Quint Guvernator
* rubocop: quit being so picky * rubocop: miscellany * rubocop: prefer present to blank
2018-08-24Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/application_controller.rb Changed instance theme selection by instance flavour selection.
2018-08-24Add admin custom CSS setting (#8399)Eugen Rochko
Fix #3894
2018-08-23Allow mods to disable login, improve message when login disabled (#8329)Eugen Rochko
* Allow moderators to disable/enable login * Instead of rejecting login, show forbidden error when login disabled Avoid confusion because when login is rejected, the message is that the account is not activated, which is wrong. * Fix tests
2018-08-23Fix regression when suspending not from report (#8400)Eugen Rochko
Regression from #8353
2018-08-23Add ability to change an instance default theme from the administration ↵Jakub Mendyk
panel (#7092) (#8381) * Add default_settings class method to ScopedSettings ScopedSettings was extended to use value of unscoped setting instead of only using defaults set in config/settings.yml for selected settings. This adds possibility for admins to set default values of users' settings, for example default theme (as requested in #7092). * Add ability to change an instance default theme Closes #7092
2018-08-22Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-08-22Override CSP setting in the embed controller to allow framesThibaut Girka
2018-08-22Add confirmation step to account suspensions (#8353)Eugen Rochko
* Add confirmation page for suspensions * Suspension confirmation closes reports, linked from report UI * Fix tests
2018-08-21Merge branch 'master' into glitch-soc/masterThibaut Girka
Conflicts: config/routes.rb Added the “endorsements” route from upstream.
2018-08-20Add API endpoint to list featured accounts (fixes #8315) (#8317)ThibG
2018-08-19Unuse ActiveRecord::Base#cache_key (#8185)abcang
* Unuse ActiveRecord::Base#cache_key * Enable cache_versioning * Call cache_collection
2018-08-19Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-08-19Add admin function to deactivate all invites (#8279)Eugen Rochko
Fix #8261
2018-08-18Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: .circleci/config.yml app/controllers/authorize_follows_controller.rb app/javascript/packs/public.js Moved new stuff from packs/public.js to core/public.js. Added appropriate use_pack in new controllers.
2018-08-18Add remote interaction dialog for toots (#8202)Eugen Rochko
* Add remote interaction dialog for toots * Change AuthorizeFollow into AuthorizeInteraction, support statuses * Update brakeman.ignore * Adjust how interaction buttons are display on public pages * Fix tests
2018-08-17Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/models/status.rb db/migrate/20180528141303_fix_accounts_unique_index.rb db/schema.rb Resolved by taking upstream changes (no real conflicts, just glitch-soc specific code too close to actual changes).
2018-08-16Do not error out when performing admin actions on no statuses (#8220)ThibG
Fixes the other issue with #8168
2018-08-11Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka